Abstract. The McEliece cryptosystem is a public-key cryptosystem based on coding theory that has successfully resisted cryptanalysis for thirty years. The original version, based on Goppa codes, is able to guarantee a high level of security, and is faster than competing solutions, like RSA. Despite this, it has been rarely considered in practical applications, due to two major drawbacks: i) large size of the public key and ii) low transmission rate. Several attempts have been made to overcome such drawbacks, but the adoption of most families of codes has not been possible without compromising the system security. Low-Density Parity-Check (LDPC) codes are state-of-the-art forward error correcting codes that approach the Shannon limit while ensuring limited complexity. Quasi-Cyclic (QC) LDPC codes are a particular class of LDPC codes, able to join the low-complexity encoding of QC codes with high-performing, low-complexity decoding techniques based on the belief propagation principle. In a previous work it has been proposed to adopt a particular family of QC-LDPC codes in the McEliece cryptosystem to reduce the key size and increase the transmission rate. It has been shown that such a variant is able to counter all the classic attacks, and also attacks that can compromise the security of previous LDPC-based versions. Recently, however, new attacks have been found that exploit a flaw in the transformation from the private key to the public one. Such attacks can be effectively countered by changing the form of some constituent matrices, without altering the system parameters. This change has marginal effects on the complexity of the cryptosystem, which instead preserves its security against all known attacks. This work gives an overview of the QC-LDPC codes-based McEliece cryptosystem and its cryptanalysis. Two recent versions are considered, and their ability to counter all the currently known attacks is discussed. A third version able to reach a higher security level is also proposed. Finally, it is shown that the new QC-LDPC codes-based cryptosystem scales favorably when larger keys are needed, as very recently pointed out by the successful implementation of an attack against the original cryptosystem.
Introduction

First presented by Robert J. McEliece in 1978 [1], the McEliece cryptosystem represents one of the most famous examples of public key cryptosystems based on error correcting codes. It adopts generator matrices of linear block codes as private and public keys, and the combination of a dense transformation and a permutation to hide the structure of the secret code in the public generator matrix. Its security lies in the difficulty of decoding a large linear code having no visible structure, which is an NP-complete problem [2]. The McEliece cryptosystem has successfully resisted cryptanalysis for thirty years, and no algorithm able to realize a total break in a reasonable time has been found up to now.

Attacks achieving the lowest work factors aim at solving the general decoding problem, which consists in deriving the error vector affecting a codeword of an $(n, k)$ linear block code (i.e., having length $n$ and dimension $k$). It can be shown that this problem can be translated into that of finding the minimum weight codeword in an $(n, k+1)$ linear block code, so the McEliece cryptosystem can also be attacked by means of algorithms aimed at finding low weight codewords.

A first decoding attack was already proposed by McEliece in his paper [1] and is based on the principle of information set decoding. It consists in selecting $k$ bits of the ciphertext and inverting the encoding map, hoping that none of them is in error. This attack has been further improved by Lee and Brickell [3], who proposed a systematic procedure for validating the decoded words and showed that the attack can be attempted also when the chosen information set is affected by a small number of errors.

More recent decoding attacks are instead based on probabilistic algorithms searching for low weight codewords. Stern's algorithm [4] is among the most famous ones, and it has been later improved by Canteaut and Chabaud [5]. Very recently, Bernstein et al. have proposed a highly efficient implementation of the attack based on Stern's algorithm [6], which achieves a speedup of about 12. The improved algorithm has been run on a computer cluster, and an encrypted codeword of the original McEliece cryptosystem has been correctly deciphered, thus proving the feasibility of an attack for the original choice of the system parameters.

Despite this, no polynomial time attack has been found up to now, and the system remains secure, provided that large enough keys are adopted in order to reach suitable work factors on modern computers. In addition, the McEliece cryptosystem can be considered a post-quantum cryptographic system [7], since no polynomial time algorithm able to exploit quantum computers for an attack has been found up to now. By contrast, Shor presented a quantum polynomial time algorithm for factoring and for calculating discrete logarithms that would break RSA, DSA and ECDSA [8].

Moreover, the original version of the McEliece cryptosystem, based on binary Goppa codes with irreducible generator polynomials, can be two or three orders of magnitude faster than RSA. However, unlike RSA, the original McEliece cryptosystem has been rarely considered in practical applications, due to its two major drawbacks: large keys and low transmission rates. Many attempts have been made to replace Goppa codes with other families of codes in order to overcome such drawbacks, but they have always compromised the system security. This occurred for Generalized Reed-Solomon codes [9] and Reed-Muller codes [10]. Successful total break attacks have also been conceived for some versions adopting Quasi-Cyclic (QC) codes [11] and Low-Density Parity-Check (LDPC) codes [12,13].

LDPC codes represent the state of the art in forward error correction and are able to approach the ultimate capacity bounds [14]. Their performance under belief propagation decoding depends on the characteristics of their sparse parity-check matrices, and their design can be performed on a random basis. Thus, it is possible to obtain large families of equivalent codes, which is the first requisite for their application in cryptography. The adoption of LDPC codes in the McEliece cryptosystem can yield many advantages: the sparse nature of their parity-check matrices could help to reduce the key size, at least in principle, and their easy design could allow an increase in the transmission rate. Unfortunately, the usage of LDPC matrices as public keys can compromise the system security [12,13,15]. For this reason, it has been proposed to adopt public keys in the form of generator matrices of a particular family of QC-LDPC codes, which are structured LDPC codes. Their structured character allows the key size to be reduced even though dense generator matrices are used.

Even with this choice, the adoption of sparse and block-wise diagonal transformation matrices can still expose the cryptosystem to total break attacks [16]; so, the original proposal has been recently revised so as not to include this kind of matrices. The new cryptosystem is immune against all currently known attacks, it allows a significant reduction in the key size with respect to the original version, and it achieves an increased transmission rate. Furthermore, the size of its public keys increases linearly with the code dimension; so the new cryptosystem scales favorably when larger keys are needed for facing the growing computational power of modern computers.

The paper is organized as follows: Section 1 describes the original McEliece cryptosystem, while Section 2 is focused on its variants based on LDPC codes. In Section 3 the most dangerous attacks against the cryptosystem security are studied, together with their possible countermeasures. Section 4 is devoted to the complexity assessment of the considered cryptosystems and Section 5 concludes the paper.



1. The original McEliece cryptosystem

Inspired by the introduction of asymmetric cryptography by Diffie and Hellman [17], McEliece proposed his code-based public key cryptosystem starting from the observation that a fast decoding algorithm exists for a general Goppa code, while the same does not occur for a general linear code [1].

In the McEliece cryptosystem, Bob randomly chooses an irreducible polynomial of degree $t$ over $GF(2^m)$, which corresponds to an irreducible Goppa code of length $n = 2^m$ and dimension $k \geq n - tm$, able to correct $t$ or fewer errors in each codeword. Then, Bob produces a $k \times n$ generator matrix $G$ for the secret code, in reduced echelon form, that will be part of his secret key. The remaining part of the secret key is formed by two other matrices: a dense $k \times k$ non-singular matrix $S$ and a random $n \times n$ permutation matrix $P$.

Then, Bob produces his public key as follows (the inverses of $S$ and $P$ are used here, rather than in the decryption map, for consistency with the notation used for the new proposals):

$G' = S^{-1} \cdot G \cdot P^{-1}$. (1)

Alice, in order to send encrypted messages to Bob, fetches his public key $G'$ from the public directory, divides her message into $k$-bit words, and applies the encryption map as follows:

$x = u \cdot G' + e$, (2)

where $x$ is the ciphertext corresponding to the cleartext $u$ and $e$ is a random vector of $t$ intentional errors.

Figure 1. The original McEliece cryptosystem.

Bob, after having received the encrypted message $x$, inverts the secret permutation, thus finding a codeword of the secret Goppa code affected by the vector of intentional errors $e \cdot P$, having weight $t$:

$x' = x \cdot P = u \cdot S^{-1} \cdot G + e \cdot P$. (3)

By exploiting Goppa decoding, Bob is able to correct all the $t$ intentional errors. Hence he can obtain $u \cdot S^{-1}$, due to the systematic form of $G$, and then recover $u$ through multiplication by $S$. The main blocks of the McEliece cryptosystem are shown in Figure 1.

In his original formulation, McEliece adopted Goppa codes with length $n = 1024$ and dimension $k = 524$, able to correct up to $t = 50$ errors. The key size is hence $n \times k$ bits, i.e. 67072 bytes, and the transmission rate is $k/n \approx 0.5$. On the other hand, the RSA system with 1024-bit modulus and public exponent 17 has keys of just 256 bytes and reaches unitary transmission rate (i.e., encryption has no overhead on the transmission).

However, it must be considered that the McEliece cryptosystem is significantly faster than RSA: it requires 514 binary operations per bit for encoding and 5140 for decoding. By contrast, RSA requires 2402 and 738112 binary operations per bit for encoding and decoding, respectively [5].



2. LDPC codes in the McEliece cryptosystem 

In this section a recent version of the McEliece cryptosystem based on QC-LDPC codes is described. It exploits the peculiarities of QC-LDPC codes to overcome the drawbacks of the original system, and it is able to resist all currently known attacks.

First, some basic properties of QC-LDPC codes are recalled; then it is shown how the McEliece cryptosystem should be modified in order to use these codes as private and public keys without incurring security issues.



2.1. QC-LDPC codes based on difference families 



LDPC codes represent a particular class of linear block codes, able to approach channel capacity when soft decision decoding algorithms based on the belief propagation principle are adopted [14].

An $(n, k)$ LDPC code $C$ is defined as the kernel of a sparse $(n-k) \times n$ parity-check matrix $H$:

$C = \{ c \in GF(2)^n : H \cdot c^T = 0 \}$. (4)

In order to achieve very good performance under belief propagation decoding, the parity-check matrix $H$ must have a low density of 1 symbols (typically on the order of $10^{-3}$) and no short cycles in the associated Tanner graph. The shortest possible cycles, which have length four, are avoided when any pair of rows (columns) has supports with no more than one overlapping position.

These conditions suffice to obtain good LDPC codes; so they can be designed through algorithms that work directly on the parity-check matrix, aiming at maximizing the cycle length, like the Progressive Edge Growth (PEG) algorithm [18]. The codes obtained are unstructured, in the sense that the positions of 1 symbols in each row (or column) of the parity-check matrix are independent of the others. This feature affects the complexity of the encoding and decoding stages, since the whole matrix must be stored and the codec implementation cannot take advantage of any cyclic or polynomial nature of the code. In this case, a common solution consists in adopting lower triangular or quasi-lower triangular parity-check matrices, which correspond to sparse generator matrices, in such a way as to reduce the complexity of the encoding stage [19].

In contrast to this approach, structured LDPC codes have also been proposed, whose parity-check matrices have a very simple inner structure. Among them, QC-LDPC codes represent a very important class, able to join the easy encoding of QC codes with the astonishing performance of LDPC codes. For this reason, QC-LDPC codes have been included in several recent telecommunication standards and applications [20,21].

QC-LDPC codes have both length and dimension multiple of an integer $p$, that is, $n = n_0 p$ and $k = k_0 p$. They have the property that each cyclic shift of a codeword by $n_0$ positions is still a valid codeword. This reflects on their parity-check matrices, which are formed by circulant blocks. A $p \times p$ circulant matrix $A$ over $GF(2)$ is defined as follows:

(5)

where $a_i \in GF(2)$, $i = 0, \ldots, p-1$.

A simple isomorphism exists between the algebra of $p \times p$ binary circulant matrices and the ring of polynomials $GF(2)[x]/(x^p + 1)$. If we denote by $X$ the unitary cyclic permutation matrix, the isomorphism maps $X$ into the monomial $x$ and the circulant matrix $\sum_{i=0}^{p-1} a_i X^i$ into the polynomial $\sum_{i=0}^{p-1} a_i x^i \in GF(2)[x]/(x^p + 1)$. This isomorphism can be easily extended to matrices formed by circulant blocks.



Let us focus attention on a particular family of QC-LDPC codes, having the parity-check matrix formed by a single row of $n_0$ circulant blocks, each with row (column) weight $d_v$:

$H = [H_0 \mid H_1 \mid \ldots \mid H_{n_0-1}]$. (6)

If we suppose (without loss of generality) that $H_{n_0-1}$ is non-singular, a valid generator matrix for the code in systematic form can be expressed as follows:

where $I$ represents the $k \times k$ identity matrix.

Very simple methods for designing parity-check matrices in the form (6), free of length-4 cycles, are those exploiting difference families and their variants [22,23,24]. Such methods are based on the observation that, if we denote as $h_i$, $i = 0, \ldots, n_0 - 1$, the vector containing the positions of 1 symbols in the first row of $H_i$, the absence of length-4 cycles in $H$ is ensured when all the $h_i$'s have disjoint sets of differences modulo $p$ (each $h_i$ itself having all its $d_v(d_v - 1)$ ordered differences distinct, as in a difference family). Sets of $h_i$'s with such property can be obtained on a random basis, so yielding large families of codes with identical parameters [13].

All the codes in a family share the characteristics that mostly influence performance 
of belief propagation decoding, that are: code length and dimension, parity-check matrix 
density, nodes degree distributions and cycles length distribution. So, they have equiva- 
lent error correction performance under belief propagation decoding. 

In order to apply such codes within the framework of the McEliece cryptosystem, it is interesting to assess their error correction capability over a channel that adds exactly $t$ errors in each codeword. This channel can be seen as a variant of the Binary Symmetric Channel (BSC), and will be denoted as the McEliece channel in the following. This evaluation can be done through numerical simulations: Figure 2 shows the performance in terms of Bit Error Rate (BER) and Frame Error Rate (FER) of three QC-LDPC codes that will be of interest in the following. They have $(n, k) = (16384, 12288)$, $(24576, 16384)$ and $(49152, 32768)$, respectively.

It is important to note that the decoding radius of LDPC codes over the McEliece 
channel cannot be determined analytically, as instead occurs for Goppa codes; so, we can 
only choose values of t that are able to ensure an extremely low error rate. 

2.2. McEliece cryptosystem adopting QC-LDPC codes 

The adoption of QC-LDPC codes in the McEliece cryptosystem can yield important advantages in terms of key size and transmission rate. As any other family of linear block codes, QC-LDPC codes are exposed to the same attacks targeted at the original cryptosystem; among them, decoding attacks are the most dangerous ones (as will be shown in Section 3.3).

Moreover, the adoption of LDPC codes could expose the system to new attacks, due to the sparse nature of their matrices. It was already observed in [12] that LDPC matrices cannot be used for obtaining the public key, not even after applying a linear transformation through a sparse matrix. In this case, the secret LDPC matrix could be recovered through density reduction attacks, which aim at finding the rows of the secret matrix by exploiting their low density [12,25].

Figure 2. Performance of some QC-LDPC codes over the McEliece channel.

One could think of replacing LDPC matrices with their corresponding generator matrices, which in general are dense. Actually, this is what happens in the original McEliece cryptosystem, where a systematic generator matrix for the secret Goppa code is used, hidden through a permutation. However, a permutationally equivalent code of an LDPC code is still an LDPC code, and the rows of its LDPC matrix could be found by searching for low weight codewords in the dual of the secret code. We call this strategy attack to the dual code: it aims at finding a sparse representation for the parity-check matrix of the public code, which can be used for effective LDPC decoding.

So, when adopting LDPC codes in the McEliece cryptosystem, it does not suffice to hide the secret code through a permutation, but it must be ensured that the public code does not admit sparse characteristic matrices. For this reason, it has been proposed to replace the permutation matrix $P$ with a different transformation matrix, $Q$ [13]. $Q$ is a sparse $n \times n$ matrix, with rows and columns having Hamming weight $m > 1$. This way, the LDPC matrix of the secret code ($H$) is mapped into a new parity-check matrix that is valid for the public code:

$H' = H \cdot Q^T$. (8)

Depending on the value of $m$, the density of $H'$ can be made high enough to avoid attacks to the dual code.



Table 1. Choices of the parameters for the QC-LDPC-based McEliece cryptosystem.

System   n_0   d_v   p       m    t'   Key size (bytes)
1        4     13    4096    7    27   6144
2        3     13    8192    11   40   6144
3        3     15    16384   13   60   12288



In the modified cryptosystem, Bob chooses a secret LDPC code by fixing its parity-check matrix, $H$, and selects two other secret matrices: a $k \times k$ non-singular scrambling matrix $S$ and an $n \times n$ non-singular transformation matrix $Q$ with row/column weight $m$. Then, Bob obtains a systematic generator matrix $G$ for the secret code and produces his public key as follows:

$G' = S^{-1} \cdot G \cdot Q^{-1}$. (9)

It should be noted that the public key is a dense matrix, so the sparse character of LDPC codes does not help in reducing the key length. However, when adopting QC-LDPC codes, the characteristic matrices are formed by circulant blocks that are completely described by a single row or column. This fact significantly reduces the key length, which, moreover, increases linearly with the code length.

The encryption map is the same as in the original cryptosystem: $G'$ is used for encoding and a vector $e$ of intentional errors is added to the encoded word. The Hamming weight of vector $e$, in this case, is denoted as $t'$. The decryption map must be slightly modified with respect to the original cryptosystem. After having received a ciphertext, Bob must invert the transformation as follows:

$x' = x \cdot Q = u \cdot S^{-1} \cdot G + e \cdot Q$, (10)

thus obtaining a codeword of the secret LDPC code affected by the error vector $e \cdot Q$ with weight $\leq t = t' m$. After that, Bob must be able to correct all the errors through LDPC decoding and obtain $u \cdot S^{-1}$, due to the systematic form of $G$. Finally, he can recover $u$ through multiplication by $S$.

It should be noted that the introduction of the transformation matrix $Q$ in place of the permutation matrix causes an error amplification effect (by a factor $m$). This is compensated by the error correction capability of the secret LDPC code, which must be able to correct $t$ errors.

Based on this scheme, two possible choices of the system parameters have been recently proposed, which are able to ensure different levels of security against currently known attacks [26]. A third choice is considered here that demonstrates how the cryptosystem scales favorably when larger keys are needed for facing efficient implementations of the attacks, such as the one proposed recently. For the three codes considered (whose performance is reported in Figure 2), $t = 189$, $440$ and $780$ have been assumed, respectively, and $m$ and $t'$ have been fixed accordingly (so that $t' m = t$). The considered values of the parameters are summarized in Table 1. It should be noted that the key size is simply $k_0 n_0 p$ bits, since the whole matrix can be described by storing only the first row (or column) of each of its $k_0 n_0$ circulant blocks.
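The construction of Section 2.1 and the key generation, encryption and transformation step of Eqs. (9)-(10), carried out on a toy instance as an added example (editor's illustration code, not code from the paper's authors). Everything not in the text is an assumption of the example: the parameters $p = 31$, $n_0 = 4$, $d_v = 3$, $m = 3$, $t' = 2$ (far below Table 1, chosen only so the run takes a fraction of a second), the choice of $Q$ as a single $n \times n$ circulant of weight $m$, and the derivation of the systematic $G$ directly from $H c^T = 0$ (the paper's Eq. (7) is not reproduced on this page). The belief propagation decoder is not implemented: `decrypt_transform()` stops where the decoder takes over, and the demo checks what the text claims about that point, namely that $x' = x Q$ has the same syndrome as the amplified error $e Q$ alone and that $e Q$ has weight at most $t' m$, and then finishes decryption under the assumption that the decoder returned $e Q$.

```python
import functools
import operator
import random

# Added toy model (editor's illustration, not the paper's code) of the QC-LDPC McEliece
# variant of Sections 2.1-2.2. GF(2) matrices are lists of row bitmasks (bit j = column j).
# Assumed illustration-only parameters: p=31, n0=4, d_v=3, m=3, t'=2; Q is assumed to be a
# single n x n circulant of weight m. No belief propagation decoder is implemented.


def weight(x):
    return bin(x).count("1")


def mat_mul(A, B):
    """A*B over GF(2): row r of the product XORs the rows of B selected by the bits of A[r]."""
    return [functools.reduce(operator.xor, (B[j] for j in range(row.bit_length()) if (row >> j) & 1), 0)
            for row in A]


def mat_inv(A):
    """Gauss-Jordan inverse of a square GF(2) matrix; None if singular."""
    n = len(A)
    M = [row | (1 << (n + i)) for i, row in enumerate(A)]  # augment [A | I]
    for c in range(n):
        piv = next((r for r in range(c, n) if (M[r] >> c) & 1), None)
        if piv is None:
            return None
        M[c], M[piv] = M[piv], M[c]
        for r in range(n):
            if r != c and (M[r] >> c) & 1:
                M[r] ^= M[c]
    return [row >> n for row in M]


def until_invertible(make):
    """Draw with make() until the result is invertible; returns (M, M^-1)."""
    while True:
        M = make()
        M_inv = mat_inv(M)
        if M_inv is not None:
            return M, M_inv


def circulant(positions, p):
    """p x p circulant whose first row has ones at `positions`; row i is its cyclic shift by i."""
    return [sum(1 << ((j + i) % p) for j in positions) for i in range(p)]


def syndrome(H, v):
    """H v^T as a bitmask: bit i is the parity of row i of H restricted to the support of v."""
    return sum((weight(h & v) & 1) << i for i, h in enumerate(H))


def difference_family(p, n0, dv, rng):
    """Random h_0..h_{n0-1} (Sec. 2.1): each h_i has d_v(d_v-1) distinct differences mod p and
    the difference sets of distinct h_i are disjoint, which rules out length-4 cycles in H."""
    while True:
        used, blocks = set(), []
        for _ in range(n0):
            for _ in range(2000):
                h = rng.sample(range(p), dv)
                diffs = {(a - b) % p for a in h for b in h if a != b}
                if len(diffs) == dv * (dv - 1) and not diffs & used:
                    used |= diffs
                    blocks.append(h)
                    break
        if len(blocks) == n0:
            return blocks


def has_length4_cycle(H):
    """True if two rows of H share two or more columns (the Sec. 2.1 criterion)."""
    return any(weight(H[i] & H[j]) > 1 for i in range(len(H)) for j in range(i + 1, len(H)))


def keygen(p=31, n0=4, dv=3, m=3, seed=1):
    rng = random.Random(seed)
    n, k = n0 * p, (n0 - 1) * p
    hs = difference_family(p, n0, dv, rng)
    while mat_inv(circulant(hs[-1], p)) is None:  # Sec. 2.1 assumes H_{n0-1} non-singular
        hs = difference_family(p, n0, dv, rng)
    H_last_inv = mat_inv(circulant(hs[-1], p))
    blocks = [circulant(h, p) for h in hs]
    H = [sum(blocks[b][i] << (b * p) for b in range(n0)) for i in range(p)]  # Eq. (6)
    # Systematic G = [I_k | P] from H c^T = 0 with c = [u | v]: for the unit vector u = e_r
    # inside block b, v^T = H_{n0-1}^{-1} (column r of H_b); column r of a circulant is at (r - j).
    G = []
    for b in range(n0 - 1):
        for r in range(p):
            col = sum(1 << ((r - j) % p) for j in hs[b])
            G.append((1 << (b * p + r)) | (syndrome(H_last_inv, col) << k))
    S, S_inv = until_invertible(lambda: [rng.getrandbits(k) for _ in range(k)])  # dense k x k
    Q, Q_inv = until_invertible(lambda: circulant(rng.sample(range(n), m), n))   # sparse, weight m
    G_pub = mat_mul(mat_mul(S_inv, G), Q_inv)  # Eq. (9): G' = S^-1 G Q^-1
    return {"G'": G_pub, "n": n, "k": k}, {"H": H, "G": G, "S": S, "Q": Q, "m": m}


def encrypt(pk, u, t_prime, rng):
    """x = u G' + e with wt(e) = t' (Eq. (2) with the key of Eq. (9))."""
    e = sum(1 << j for j in rng.sample(range(pk["n"]), t_prime))
    return mat_mul([u], pk["G'"])[0] ^ e, e


def decrypt_transform(sk, x):
    """Eq. (10): x' = x Q = u S^-1 G + e Q; returns x' and H x'^T, which equals H (e Q)^T."""
    x_prime = mat_mul([x], sk["Q"])[0]
    return x_prime, syndrome(sk["H"], x_prime)


def demo(seed=1, t_prime=2):
    pk, sk = keygen(seed=seed)
    rng = random.Random(seed + 1)
    u = rng.getrandbits(pk["k"])
    x, e = encrypt(pk, u, t_prime, rng)
    x_prime, s_x = decrypt_transform(sk, x)
    eQ = mat_mul([e], sk["Q"])[0]  # the amplified error the LDPC decoder has to correct
    # Bob after decoding: strip e Q, keep the systematic part u S^-1 (G is systematic), apply S.
    u_hat = mat_mul([(x_prime ^ eQ) & ((1 << pk["k"]) - 1)], sk["S"])[0]
    return {"four_cycle_free": not has_length4_cycle(sk["H"]), "amplified_weight": weight(eQ),
            "weight_bound": t_prime * sk["m"], "syndrome_matches_error": s_x == syndrome(sk["H"], eQ),
            "recovered": u_hat == u}
```

`demo()` returns the four checks as a dictionary. `has_length4_cycle` is exactly the "no pair of rows overlaps in more than one position" condition of Section 2.1, and `keygen` redraws the difference family until $H_{n_0-1}$ is non-singular, which for $p = 31$ only fails when the weight-3 polynomial of the last block shares a factor with $x^{31} + 1$.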



Table 2. Work factors of attacks to the dual code.

System   n_0   d_v   p       m    Max WF    w(WF > 2^80)
1        4     13    4096    7    2^153     179
2        3     13    8192    11   2^250     127
3        3     15    16384   13   2^340     124



3. Attacks and countermeasures 

For the sake of conciseness, this section considers only the attacks achieving the lowest work factors against the considered cryptosystem, together with their possible countermeasures.

3.1. Attacks to the dual code

This kind of attack exploits the fact that the dual of the public code, which is generated by $H'$, may contain low weight codewords, and such codewords can be searched for through probabilistic algorithms. Each row of $H'$ is a valid codeword of the dual code, so the dual code has at least $A_w \geq (n-k)$ codewords with weight $w \leq d_c m$, where $d_c = n_0 d_v$ is the row weight of $H$.

It should be observed that $d_c \ll n$ and the supports of sparse vectors have very small (or null) intersection. So, by introducing an approximation, we can consider $A_w \approx (n-k)$. With similar arguments, and assuming a small $m$, we can say that the rows of $H'$ have weight $w \approx d_c m = n_0 d_v m$.

One of the most famous probabilistic algorithms for finding low weight codewords is due to Stern [4] and exploits an iterative procedure. When Stern's algorithm is performed on a code having length $n_s$ and dimension $k_s$, the probability of finding, in one iteration, one of $A_w$ codewords with weight $w$ is [27]:

$P_w \simeq A_w \cdot \frac{\binom{w}{g}\binom{n_s - w}{k_s/2 - g}}{\binom{n_s}{k_s/2}} \cdot \frac{\binom{w - g}{g}\binom{n_s - k_s/2 - w + g}{k_s/2 - g}}{\binom{n_s - k_s/2}{k_s/2}} \cdot \frac{\binom{n_s - k_s - w + 2g}{l}}{\binom{n_s - k_s}{l}}$, (11)

where $g$ and $l$ are two parameters whose values must be optimized as functions of the total number of binary operations. So, the average number of iterations needed to find a low weight codeword is $c \simeq P_w^{-1}$. Each iteration requires

$N = \frac{(n_s - k_s)^3}{2} + k_s (n_s - k_s)^2 + 2 g l \binom{k_s/2}{g} + \frac{2 g (n_s - k_s) \binom{k_s/2}{g}^2}{2^l}$ (12)

binary operations, so the total work factor is $WF = c N$.

In the present case, Stern's algorithm is used for attacking the dual of the public code, so $n_s = n$ and $k_s = n - k$. Table 2 reports the values of the maximum work factor achieved (i.e., when $w = d_c m$) by the considered solutions, together with the minimum value of $w$ needed to have a work factor $> 2^{80}$ (denoted by $w(WF > 2^{80})$ in the table). Since $d_c m$ (364, 429 and 585 for the three systems) is well above that minimum weight in every case, all three systems can be considered secure against attacks to the dual code.
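Eqs. (11) and (12) evaluated numerically, as an added example (editor's code, not the authors'): $WF = c N$ with $c \simeq P_w^{-1}$ is minimised over $g$ and $l$, and the two settings used in the paper are wrapped as functions, the attack to the dual code of this section ($n_s = n$, $k_s = n - k$, $w = d_c m$, $A_w \approx n - k$) and the decoding attack of Section 3.3 on the extended $(n, k+1)$ code ($A_w = 1$, $w = t$). Binomials are handled in the log domain through `lgamma`, so the $n = 16384$ rows of Table 2 cost nothing to evaluate; the search bounds `max_g` and `max_l` are assumptions, as is the use of $\lfloor k_s/2 \rfloor$ when $k_s$ is odd.

```python
import math

# Added example (editor's code, not the paper's): Eqs. (11)-(12) evaluated numerically,
# with WF = c N minimised over g and l (c = 1/P_w). The search bounds are assumptions.

LN2 = math.log(2)


def log2_binom(n, k):
    """log2 of C(n, k) via lgamma (accurate enough for work-factor exponents); -inf if C = 0."""
    if k < 0 or k > n:
        return float("-inf")
    return (math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)) / LN2


def log2_p_w(n_s, k_s, w, g, l, A_w=1):
    """log2 of P_w, Eq. (11): one Stern iteration on an (n_s, k_s) code finds one of the
    A_w codewords of weight w (k_s/2 is rounded down when k_s is odd)."""
    k2 = k_s // 2
    return (math.log2(A_w)
            + log2_binom(w, g) + log2_binom(n_s - w, k2 - g) - log2_binom(n_s, k2)
            + log2_binom(w - g, g) + log2_binom(n_s - k2 - w + g, k2 - g) - log2_binom(n_s - k2, k2)
            + log2_binom(n_s - k_s - w + 2 * g, l) - log2_binom(n_s - k_s, l))


def iteration_cost(n_s, k_s, g, l):
    """N, Eq. (12): binary operations per iteration."""
    k2, r = k_s // 2, n_s - k_s
    b = 2 ** log2_binom(k2, g)  # C(k_s/2, g)
    return r ** 3 / 2 + k_s * r ** 2 + 2 * g * l * b + 2 * g * r * b * b / 2 ** l


def stern_log2_wf(n_s, k_s, w, A_w=1, max_g=8, max_l=200):
    """(log2 WF, g, l) minimising WF = c N = N / P_w over 1 <= g <= max_g, 1 <= l <= max_l."""
    best = (float("inf"), None, None)
    for g in range(1, max_g + 1):
        for l in range(1, max_l + 1):
            lp = log2_p_w(n_s, k_s, w, g, l, A_w)
            if lp == float("-inf"):  # parameter combination with zero success probability
                continue
            wf = math.log2(iteration_cost(n_s, k_s, g, l)) - lp
            if wf < best[0]:
                best = (wf, g, l)
    return best


def dual_code_attack_log2_wf(n, k, d_c, m):
    """Sec. 3.1: Stern on the dual code, n_s = n, k_s = n - k, w = d_c m, A_w ~ n - k."""
    return stern_log2_wf(n, n - k, d_c * m, A_w=n - k)


def decoding_attack_log2_wf(n, k, t):
    """Sec. 3.3: Stern on the extended (n, k+1) code, one target word of weight t."""
    return stern_log2_wf(n, k + 1, t)


if __name__ == "__main__":
    print("original McEliece (1024, 524), t = 50:", decoding_attack_log2_wf(1024, 524, 50))
    print("Table 2, system 1, w = d_c m = 364:", dual_code_attack_log2_wf(16384, 12288, 52, 7))
```

For the original McEliece parameters the minimum lands close to the $2^{63.5}$ quoted in Section 3.3; for the Table 2 rows the result is far above $2^{80}$ whatever the search bounds. The practical use is the second call: it is what one reruns after changing $n_0$, $d_v$, $p$ or $m$, instead of trusting a printed table for a parameter set it does not cover.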



3.2. OTD attacks 



In the cryptosystem version proposed in [13], both $S$ and $Q$ were chosen sparse, with non-null blocks having row/column weight $m$, and $Q$ in block-diagonal form, with diagonal blocks $Q_0, \ldots, Q_{n_0-1}$ (13). This gave rise to an attack formulated by Otmani, Tillich and Dallot, here denoted as the OTD attack [16].

The rationale of this attack lies in the observation that, by selecting the first $k$ columns of $G'$, an eavesdropper can obtain

$G'_{\leq k} = S^{-1} \cdot \begin{bmatrix} Q_0^{-1} & 0 & \cdots & 0 \\ 0 & Q_1^{-1} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & Q_{n_0-2}^{-1} \end{bmatrix}$. (14)

Then, by inverting $G'_{\leq k}$ and considering its block at position $(i, j)$, he can obtain $Q_i S_{i,j}$, which corresponds to the polynomial

$g_{i,j}(x) = q_i(x) \cdot s_{i,j}(x) \bmod (x^p + 1)$. (15)

If both $Q_i$ and $S_{i,j}$ are sparse, it is highly probable that $g_{i,j}(x)$ has exactly $m^2$ non-null coefficients and that its support contains at least one shift $x^{l_a} \cdot q_i(x)$, $0 \leq l_a \leq p - 1$.

Three possible strategies have been proposed for implementing this attack. According to the first strategy, the attacker can enumerate all the $m$-tuples belonging to the support of $g_{i,j}(x)$. Each $m$-tuple can then be validated through inversion of its corresponding polynomial and multiplication by $g_{i,j}(x)$. If the resulting polynomial has exactly $m$ non-null coefficients, the $m$-tuple is a shifted version of $q_i(x)$ with very high probability. The second strategy exploits the fact that it is highly probable that the Hadamard product of the polynomial $g_{i,j}(x)$ with a $d$-shifted version of itself, $g^d_{i,j}(x) * g_{i,j}(x)$, gives a shifted version of $q_i(x)$, for a specific value of $d$. The eavesdropper can hence calculate all the possible $g^d_{i,j}(x) * g_{i,j}(x)$ and check whether the resulting polynomial has $m$ non-null coefficients. As a third strategy, the attacker can consider the $i$-th row of the inverse of $G'_{\leq k}$:

$R_i = [Q_i S_{i,0} \mid Q_i S_{i,1} \mid \ldots \mid Q_i S_{i,n_0-2}]$. (16)

The linear code generated by

$G_{OTD3} = (Q_i S_{i,0})^{-1} \cdot R_i = [I \mid S_{i,0}^{-1} S_{i,1} \mid \ldots \mid S_{i,0}^{-1} S_{i,n_0-2}]$ (17)

admits an alternative generator matrix:

$G'_{OTD3} = S_{i,0} G_{OTD3} = [S_{i,0} \mid S_{i,1} \mid \ldots \mid S_{i,n_0-2}]$, (18)

which coincides with a block row of matrix $S$. When matrix $S$ is sparse, the code defined by $G'_{OTD3}$ contains low weight codewords. Such codewords coincide with the rows of $G'_{OTD3}$ and can be effectively searched for through Stern's algorithm.

With the choice of the parameters made in [13], which is almost coincident with the first choice in Table 1, the three OTD attack strategies would require, respectively, $2^{50.3}$, $2^{36}$ and $2^{32}$ binary operations. These low values can be easily reached with a standard computer, so that cryptosystem must be considered broken.

However, the OTD attacks rely on the fact that both $S$ and $Q$ are sparse and that $Q$ has block-diagonal form. So, they can be effectively countered by adopting dense $S$ matrices, without altering the remaining system parameters. With dense $S$ matrices the eavesdropper cannot obtain $Q_i$ and $S_{i,j}$ even knowing $Q_i S_{i,j}$: the probability that the support of $g_{i,j}(x)$ contains that of at least one shift of $q_i(x)$ becomes extremely small, and the code generated by $G'_{OTD3}$ no longer contains low weight codewords.

For preserving the ability of correcting all the intentional errors, it is important that $Q$ remains sparse (with row/column weight $m$). The choice of a dense $S$ affects the complexity of the decoding stage, which, however, can be reduced by resorting to efficient computation algorithms for circulant matrices [26].
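The second OTD strategy on a single circulant block, as an added example (editor's code, not the attack code of [16] nor the paper's): with $q_i(x)$ and $s_{i,j}(x)$ both of weight $m$, the Hadamard products $g_{i,j}(x) * x^d g_{i,j}(x)$ of weight exactly $m$ are collected for every $d$, and the same search is repeated with a dense $s_{i,j}(x)$, which is the countermeasure of this section. Constructed inputs: $p = 4096$ and $m = 7$ from the first row of Table 1, with $q$ and $s$ drawn from a seeded generator. The demo validates candidates against the true $q_i(x)$, which an attacker cannot do; he would instead invert each candidate and multiply it by $g_{i,j}(x)$ as the first strategy does, so the candidate count is the number of such validations he would have to run.

```python
import random

# Added example (editor's code, not the authors'): the second OTD strategy of Sec. 3.2 on one
# block g_{i,j}(x) = q_i(x) s_{i,j}(x), Eq. (15). Polynomials in GF(2)[x]/(x^p + 1) are p-bit
# ints (bit a = coefficient of x^a); p = 4096 and m = 7 are the first row of Table 1.


def weight(x):
    return bin(x).count("1")


def rot(a, d, p):
    """x^d a(x) mod (x^p + 1): cyclic rotation of the p-bit mask a by d positions."""
    d %= p
    return ((a << d) | (a >> (p - d))) & ((1 << p) - 1)


def polymul(a, b, p):
    """a(x) b(x) mod (x^p + 1): XOR of b rotated by every exponent in the support of a."""
    out, i = 0, 0
    while a:
        if a & 1:
            out ^= rot(b, i, p)
        a, i = a >> 1, i + 1
    return out


def random_poly(p, w, rng):
    return sum(1 << a for a in rng.sample(range(p), w))


def is_shift_of(candidate, q, p):
    return any(rot(q, d, p) == candidate for d in range(p))


def hadamard_candidates(g, m, p):
    """Strategy 2: g(x) * (x^d g(x)) for every shift d, keeping the products with exactly m terms.
    Since g = sum over b in supp(s) of x^b q(x), the choice d = b2 - b1 makes the copy x^{b2} q(x)
    appear in both factors, so the product is a shift of q(x) (or, symmetrically, of s(x))."""
    return {d: h for d in range(1, p) for h in [g & rot(g, d, p)] if weight(h) == m}


def run_attack(p=4096, m=7, dense_s=False, seed=7):
    """Constructed instance: sparse q (weight m) and either sparse s (weight m, the choice of
    [13] that was broken) or dense s (weight about p/2, the countermeasure of Sec. 3.2)."""
    rng = random.Random(seed)
    q = random_poly(p, m, rng)
    s = random_poly(p, p // 2 if dense_s else m, rng)
    g = polymul(q, s, p)  # what the eavesdropper recovers from the public key, Eq. (15)
    candidates = hadamard_candidates(g, m, p)
    hits = [d for d, h in candidates.items() if is_shift_of(h, q, p)]
    return {"weight_g": weight(g), "candidates": len(candidates), "shifts_of_q_found": len(hits)}


if __name__ == "__main__":
    print("sparse S:", run_attack())
    print("dense S: ", run_attack(dense_s=True))
```

With sparse $S$ the candidate set is small and contains shifts of $q_i(x)$ (and, by the symmetry of the product, shifts of $s_{i,j}(x)$); with $s_{i,j}(x)$ of weight about $p/2$ every Hadamard product has weight around $p/4$, so the candidate set is empty, which is the whole effect of making $S$ dense.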

3.3. Decoding attacks

As stated in the Introduction, the most promising attacks against the McEliece cryptosystem are those aiming at solving the general decoding problem, that is, obtaining the error vector $e$ used for encrypting a ciphertext.

It can be easily shown that $e$ can be searched for as the lowest weight codeword in the extended code generated by

$G'' = \begin{bmatrix} G' \\ x \end{bmatrix}$. (19)

In order to evaluate the work factor of such attacks, we refer to Stern's algorithm, whose complexity can be easily evaluated in closed form, as already shown in Section 3.1. Stern's algorithm has been further improved in [5] and, very recently, in [6]. Estimating the work factor of such modified algorithms is more involved, and requires modeling the attack through Markov chains. For this reason, we continue to refer to Stern's original formulation. For our purposes, it seems sufficient to take into consideration that the adoption of optimized algorithms could result in a further speedup of about 12 times, as reported in [6]. According to the expressions reported in Section 3.1, the work factor of a decoding attack against the original McEliece cryptosystem based on Stern's algorithm would be $2^{63.5}$.

In the considered cryptosystem based on QC-LDPC codes, an extra speedup could result from the quasi-cyclic nature of the codes, by which every block-wise cyclically shifted version of the ciphertext $x$ is still a valid ciphertext. So, an eavesdropper could continue extending $G''$ by adding shifted versions of $x$, and could search for as many shifted versions of the error vector. Figure 3 reports the values of the work factor of decoding attacks against the considered cryptosystem as functions of the number of rows added to $G'$. The three considered choices of the system parameters reach, respectively, a minimum work factor of $2^{65.6}$, $2^{75.8}$ and $2^{106.5}$ binary operations.

Being the smallest work factors reached by currently known attacks, these values can be considered as the security levels of the three cryptosystems.
Figure 3. Work factor of decoding attacks based on Stern's algorithm.



4. Complexity 

In order to compare the considered cryptosystems with more consolidated solutions, it is important to estimate the complexity of both their encryption and decryption stages.

The encryption complexity is dominated by LDPC encoding, which coincides with calculating the product $u \cdot G'$. The number of binary operations needed by such a task is denoted as $C_{mul}(u \cdot G')$. Further $n$ operations must be considered for the addition of the intentional error vector $e$. So, the encryption complexity can be expressed as follows:

$C_{enc} = C_{mul}(u \cdot G') + n$. (20)

The computational cost of matrix multiplication can be reduced by exploiting the fact that each matrix is formed by $p \times p$ binary circulant blocks. Due to the isomorphism with the ring of polynomials $GF(2)[x]/(x^p + 1)$, efficient algorithms for polynomial multiplication over finite fields can be adopted. We refer to the Toom-Cook method, which is very efficient in the cases of our interest, but other strategies are possible [26].

As regards decryption complexity, it can be split into three contributions, corre- 
sponding to: i) calculating the product x • Q, ii) decoding the secret LDPC code and iii) 
calculating the product u' • S. So, it can be expressed as follows: 

Cdec = Cmui (x ■ Q) + CsPA + C m ul (u ■ S) , (21) 

where C_SPA is the number of operations required for LDPC decoding through the sum-
product algorithm. By referring to the implementation proposed in [28], we can express
C_SPA as follows:

C_SPA = I_ave · n [q (8 d_v + 12 R − 11) + d_v] , (22)

where I_ave is the average number of decoding iterations and q is the number of quanti-
zation bits used inside the decoder (both of them can be estimated through simulations).

Table 3. Parameters of the considered cryptosystems.

                 McEliece     Niederreiter   RSA               QC-LDPC      QC-LDPC      QC-LDPC
                 (1024, 524)  (1024, 524)    1024-bit mod.,    McEliece 1   McEliece 2   McEliece 3
                                             public exp. 17
Key Size (a)     67072        32750          256               6144         6144         12288
Rate             0.51         0.57           1                 0.75         0.67         0.67
k_b (b)          524          284            1024              12288        16384        32768
C_enc (c)        514          50             2402              658          776          1070
C_dec (d)        5140         7863           738112            4678         8901         12903

(a) Expressed in bytes.
(b) Information block length (bits).
(c) Number of binary operations per information bit for encryption.
(d) Number of binary operations per information bit for decryption.

By using Eqs. (20) and (21), it is possible to estimate the encryption and decryption
cost in terms of binary operations per information bit. This has been done in Table 3, which
summarizes the main parameters of the considered cryptosystems and compares them
with those of more consolidated solutions (for the first three systems the complexity
estimates are reported from 0).

It can be noticed that all three systems based on QC-LDPC codes have shorter
keys and higher rates than the original McEliece cryptosystem and the Nieder-
reiter version; so, they succeed in mitigating their main drawbacks. In particular, the first
QC-LDPC-based system, which reaches a security level comparable with that of the origi-
nal McEliece cryptosystem, has a key size reduced by more than 10 times with respect to
it and more than 5 times with respect to the Niederreiter version. Furthermore, the new
system has an increased transmission rate (up to 3/4).

The security level can be increased at the expense of the transmission rate: the
second QC-LDPC-based system has the same key size as the first one, but its transmission
rate is reduced from 3/4 to 2/3. In return, its security level is increased by a
factor of about 2^{10}.

Larger keys can be adopted in order to reach higher security levels, which are needed
to face efficient decoding attacks implemented on modern computers. The third QC-
LDPC-based system is able to reach a security level of 2^{106.5} by doubling the key size
(which is still more than 5 times smaller than in the original cryptosystem). It should be
noted that the system scales favorably when larger keys are needed, since the key size
grows linearly with the code length, due to the quasi-cyclic nature of the codes, while in
the original system it grows quadratically.

As concerns complexity, it can be observed that the first QC-LDPC-based cryptosys-
tem has encryption and decryption costs comparable with those of the original McEliece
cryptosystem. The Niederreiter version is instead able to significantly reduce the encryp-
tion cost. Encryption and decryption complexity increase for the other two QC-LDPC-
based variants, but they still remain considerably lower than those of RSA. On the other
hand, RSA has the smallest keys and reaches unitary rate.



5. Conclusion 



It has been shown that the adoption of LDPC codes in the framework of the McEliece
cryptosystem can help overcome its drawbacks, namely large keys and low transmis-
sion rate. However, such a choice must be considered carefully, since the sparse nature of
the characteristic matrices of LDPC codes can expose the system to classic as well as
newly developed attacks. In particular, the misuse of sparse transformation matrices can
expose the system to total break attacks, able to recover the secret key with reasonable
complexity.

The adoption of dense transformation matrices makes it possible to avoid such attacks, and
the quasi-cyclic nature of the codes still allows the key size to be reduced. Furthermore, the
McEliece cryptosystem based on QC-LDPC codes can exploit efficient algorithms for
polynomial multiplication over finite fields for encryption and low-complexity LDPC
decoding algorithms for decryption, which reduce its computational complexity.

For these reasons, it seems that the considered variants of the McEliece cryptosystem 
can be seen as a trade-off between its original version and other widespread solutions, 
like RSA. 